A Technology Blog

Monthly Archives: January 2010

I came across a situation where I had an ASA 5505 connected to a 3750 switch via two physical interfaces. These interfaces were both on the same chassis of a two-chassis 3750 stack. This ASA had been running well for some time and no issues had arisen until one of the two 3750s experienced an issue (the one connected to the ASA, of course), causing an Internet outage. I did some research and didn’t find anything on the ASA end of things that would allow for redundant links to the secondary switch. Then, as I was reading through a Cisco Catalyst IOS configuration guide, I saw something about “Flex Links” and struck gold! Simply put, Flex Links allow backup interfaces to be administratively defined on a switch (or stack of switches). The configuration on the switch side is very straightforward, as shown in the example below. The ASA configuration is very simple as well. I simply assigned the appropriate VLANs to the ASA switched interfaces and attached the cables to the proper backup interfaces on my second stacked switch. The ports that are in a standby state will have orange status lights but will show “up/up” on both ends.

This configuration statically configures port Gig1/0/23 as a backup for Gig2/0/23 and Gig1/0/24 as a backup for Gig2/0/24. The “preemption mode forced” command simply means that if a failed primary interface becomes available again, a failback will occur rather than the link remaining in the last working state.
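The switch-side configuration described above, written out as an added example (it is not the author's original listing). The interface names come from the text; the note about matching VLAN settings is an assumption about the rest of the port configuration, which the post does not show.

```cisco
! Added example: Flex Links on the 3750 stack, using the interfaces
! named in the text. Primaries are on stack member 2, backups on member 1.
!
! Assumption: each backup port carries the same switchport mode and VLAN
! settings as its primary, so traffic keeps flowing after a switchover.
!
interface GigabitEthernet2/0/23
 ! Gi1/0/23 waits in standby and takes over if Gi2/0/23 goes down
 switchport backup interface GigabitEthernet1/0/23
 ! fail back to Gi2/0/23 once it is available again
 switchport backup interface GigabitEthernet1/0/23 preemption mode forced
!
interface GigabitEthernet2/0/24
 switchport backup interface GigabitEthernet1/0/24
 switchport backup interface GigabitEthernet1/0/24 preemption mode forced
!
! Verify the active/backup pairs and their state afterwards with:
!   show interfaces switchport backup
```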

Two very useful show commands are “show interfaces switchport backup” which provides a simple output showing active and backup interfaces:

The Cisco ASA platform ships with default licensing that permits two simultaneous WebVPN sessions. If users don’t log out when they finish using WebVPN, the ASA still considers these sessions open, and they will consume licenses until the timeout period expires. There are two useful commands to troubleshoot issues surrounding WebVPN sessions. The first command shows current WebVPN sessions: